I'm Ivan Krstić (@radian). This is a personal site; I speak for no one but myself.

From Scandinavia with Love

I have three observations about Finland: it’s cold, expensive, and there are little naked people in the headboard of my hotel bed. (Stay classy, Radisson SAS.)

I was in Helsinki last week to deliver the keynote at T2, a phenomenally organized little security conference that attracts some very smart people. At less than a hundred attendees, it’s a much more intimate and social conference setting than I’m used to, and I just had a blast.

My talk on the bitter and miserable tale that is desktop security was two hours long, which is about double the length of my usual keynotes. In preparing the presentation, I pulled together a lot of material that I had floating around in various places, and I’ve decided to turn the result into a longer essay on desktop security in lieu of posting my slide deck directly. Until I do so, let me share a few conference highlights.

Outpost24’s Jack Louis and Robert E. Lee, two American expats now living in Sweden, gave an amusing demo of their sockstress TCP/IP state table attacks, which have been getting some attention lately. They’re working with vendors and didn’t make public any technical details of the attacks, but the attacks do look Very Serious. They also look rather misunderstood. This isn’t Yet Another Connection Flood or a SYN cookie problem. The demo brought a fully-patched XP machine to a complete freeze in about three minutes with only 30-40 (malicious) connections per second, and network utilization at the victim floating around 0.1% of 100Mbit/s. I have several ideas about what’s happening and hope to independently verify some of the attacks in the lab, but at first glance, these guys have only scratched the tip of the iceberg in what’s a rather unpleasant class of attacks. We’ll probably be dealing with this mess for a good, long while.

Sockstress demo. Pinball on the victim machine starts lagging and then comes to a total standstill with the rest of the OS in a few minutes.

The Pirate Bay’s founder, TiAMO, gave a talk with Toolcrypt’s olleB about IPETEE, their idea for a mass-deployed, application-transparent opportunistic encryption system to prevent wide-scale passive wiretapping on the Internet. The original proposal made me very uneasy, being an obviously amateur design with highly questionable design choices; I spent some time talking to the guys, and as I suspected, they’ve done neither protocol design nor crypto before. Luckily, they’re quite sharp and very good sports, and after several conversations, I think I’ve convinced them to consider making IPETEE just a zero-configuration transparent (D)TLS/AES-CTR implementation with null certificates. It looks like this can be massaged into addressing their threat model and design requirements fully, and might actually make a pretty neat system.

Yes, this man runs the website that continues to have great success pissing off the world’s most powerful media lobbies. He’s also great fun to drink with.

Finally, the Finnish security giant F-Secure is headquartered a subway stop away from the conference hotel, and their research chief Mikko Hyppönen kindly invited me over for a tour of their lab. F-Secure does a lot of excellent malware research work, and a look at their backend tools paints a frightening picture. They currently operate a 17TB malware archive consisting of about 14.5 million samples — managed, of course, through a Python web frontend. They’re receiving 50 thousand malware samples a day, of which 15-20k are unique, and have some frightening visualizations including a real-time overlay of viral infections and botnets within Google Earth. I also took a look at their cell phone malware testing lab which, through a partnership with Nokia, is able to simulate a real GSM “red” network for securely examining malware which sends SMS or MMS messages, or otherwise requires cellular connectivity.

Execution flow visualization for the Bagle worm. Boxes are subroutines; they start blue and turn red when invoked.

And how do they keep the cell phone viruses they’re examining from spreading wirelessly? They do all the testing in a walk-in Faraday cage, of course! “35 GHz, stops everything,” Mikko tells me excitedly, then for a split second sounds crestfallen: “Except radar.” (I have it on good authority that Apple isn’t planning to add a radar dish to the next version of the iPhone, so Mikko has little immediate cause for concern.)

T2 is an excellent conference, and I had a great time with some very fun people — if you can attend, I recommend it wholeheartedly.

The T2 speakers’ dinner, at the excellent restaurant Lappi.